Digital Signature

What is a Digital Signature

Literally, a digital signature is a signature in digital format. That does not mean that scanning your handwritten signature into a JPG image and pasting it into an MS Word document produces a valid digital signature. A scanned signature lacks the non-repudiation aspect of a signature: others can repudiate your signature by scanning it and pasting it into valued documents. It also lacks integrity: no one can tell whether the document is free of tampering. A copied and pasted scanned signature is not legally binding under any existing law in the world.

Before we dive deeper into what makes a digital signature valid, let’s look at the history of digital signatures. A lot of people are under the false impression that digital signature technology is some new, untested fad. The truth is that digital signatures have been around for decades, and they’re gaining popularity in the mainstream. Here are some of the milestones in the history of digital signature technology:

1976: Whitfield Diffie and Martin Hellman first described the idea of a digital signature scheme, but they only theorized that such schemes existed

1977: Ronald Rivest, Adi Shamir and Len Adleman invented the RSA algorithm, which could be used to produce a kind of primitive digital signature

1988: Lotus Notes 1.0, which used the RSA algorithm, became the first widely marketed software package to offer digital signatures

1999: The ability to embed digital signatures into documents is added to the PDF format

2000: The ESIGN Act makes digital signatures legally binding

2002: SIGNiX is founded and becomes the most broadly used cloud-based digital signature software

2008: The PDF file format becomes an open standard of the International Organization for Standardization (ISO) as ISO 32000, which includes digital signatures as an integral part of the format.

You can digitally sign a document for many of the same reasons why you might place a handwritten signature on a paper document. A digital signature is used to help authenticate the identity of the creator of digital information – such as documents, and e-mail messages – by using cryptographic algorithms.

Digital signatures are based on digital certificates. Digital certificates are verifiers of identity issued by a trusted third party, which is known as a certification authority (CA). This works similarly to the use of standard identity documents in a non-electronic environment. For example, a trusted third party such as a government entity or employer issues identity documents – such as driver’s licenses, passports and employee ID cards – on which others rely to verify that a person is who he or she claims to be.

Digital certificates can be issued by CAs within an organization, such as a Windows Server 2003 server that is running Windows Certificate Services, or by a public CA, such as VeriSign or Thawte. For a signature to be legally binding under Indonesian law (UU ITE 2008), we need to acquire a digital certificate from a trusted CA.

What digital signatures accomplish

Digital signatures help establish the following authentication measures:

Authenticity: The digital signature helps ensure that the signer is who he or she claims to be. This helps prevent others from pretending to be the originator of a particular document (the equivalent of forgery on a printed document).

Integrity: The digital signature helps ensure that the content has not been changed or tampered with since it was digitally signed. This helps prevent documents from being intercepted and changed without knowledge of the originator of the document.

Non-repudiation: The digital signature helps prove to all parties the origin of the signed content. “Repudiation” refers to the act of a signer’s denying any association with the signed content. This helps prove that the originator of the document is the true originator and not someone else, regardless of the claims of the signer. A signer cannot repudiate the signature on that document without repudiating his or her digital key, and therefore other documents signed with that key.

Requirements for digital signatures

To establish these conditions, the content creator must digitally sign the content by using a signature that satisfies the following criteria:

The digital signature is valid. A CA (certificate authority) that is trusted by the operating system must sign the digital certificate on which the digital signature is based.

The certificate that is associated with the digital signature is not expired.

The signing person or organization (known as the publisher) is trusted by the recipient.

The certificate associated with the digital signature is issued to the signing publisher by a trusted CA.

Microsoft Office 2007 and later versions (Word, Excel, and PowerPoint) detect these criteria for you and warn you if there appears to be a problem with the digital signature. Information about problematic certificates is easily viewed in a certificate task pane that appears in the Microsoft Office system application. MS Office system applications let you add multiple digital signatures to the same document.
Adobe PDF Reader is also able to detect those criteria.
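
The criteria above (a trusted issuing CA, an unexpired certificate, unchanged content) can be checked in a few lines of Go. This is an added example, not code from Microsoft Office or Adobe Reader; the function names issue, verifySigned and demo, the "Example CA" and "Employee" certificates, the expense text and the choice of Ed25519 are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and one-year certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // no issuer given: self-signed root that may sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}
// verifySigned checks the criteria: trusted issuing CA, unexpired certificate, unchanged content.
func verifySigned(doc, sig []byte, signer *x509.Certificate, trusted *x509.CertPool, at time.Time) error {
	opts := x509.VerifyOptions{Roots: trusted, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	return signer.CheckSignature(x509.PureEd25519, doc, sig) // fails if doc or sig was altered
}
// demo returns the verification result (nil = accepted) for four constructed cases.
func demo() (valid, tampered, expired, untrusted error) {
	now, doc, trusted := time.Now(), []byte("Expense report: USD 120"), x509.NewCertPool()
	caKey, ca := issue("Example CA", nil, nil)
	trusted.AddCert(ca)
	key, cert := issue("Employee", ca, caKey)
	sig := ed25519.Sign(key, doc)
	return verifySigned(doc, sig, cert, trusted, now),
		verifySigned([]byte("Expense report: USD 920"), sig, cert, trusted, now), // amount altered
		verifySigned(doc, sig, cert, trusted, now.AddDate(2, 0, 0)), // opened after expiry
		verifySigned(doc, sig, cert, x509.NewCertPool(), now) // CA not in trust store
}
func main() { fmt.Println(demo()) }
```

In practice the trust pool comes from the operating system or organization trust store rather than from a CA generated inside the program.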

Digital signatures in the business environment

The following scenario illustrates how digital signing of documents can be used in a business environment:

An employee uses Office Excel to create an expense report. The employee then creates three signature lines: one for herself, one for her manager, and one for the accounting department. These lines are used to identify that the employee is the originator of the document, that no changes will occur in the document as it moves to the manager and the accounting department, and that there is proof that both the manager and the accounting department have received and reviewed the document.

The manager receives the document and adds her digital signature to the document, confirming that she has reviewed and approved it. She then forwards it via email to the accounting department for payment.

A representative in the accounting department receives the document and signs it.

This example demonstrates the ability to add multiple signatures to a single MS Office system document. In addition to the digital signature, the signer of the document can add a graphic of her actual signature, or use a Tablet PC to actually write a signature into the signature line in the document.

Another scenario illustrates a digital signature implementation in a business contract in which company A sells a service to company B.

Company A prepares the contract document (in MS Word or PDF), then adds two signature columns to it, one for the CEO of each company.

The CEO of company A signs the document using his digital certificate, then sends it to company B via email.

Company B receives the contract document.

The CEO of company B signs the document using his own digital certificate.

Company B sends the contract document, now signed by both parties, to its distribution list (the persons concerned with the contract) and also to company A.

Company A sends the contract document signed by both parties to its distribution list.

Both companies keep the fully signed contract document as a legally binding document. Whenever the document has been tampered with, MS Word or Adobe PDF Reader will alert the user who opens it.

Digital Certificate Cost

Currently digital certificate costs vary from USD 20 to USD 200. If you choose a certificate on a USB token, you might need to allocate an extra USD 100.

Note: There are many online digital signature solutions that do not require you to bother with certificate issuance and installation, such as DocSign, iSign, etc. The disadvantages of those solutions are that you need to upload the document into their system, which you might find risky, and that their pricing is somewhat more expensive than the certificate-based approach. Not to mention that the online signature doesn’t allow us to retrieve the digital certificate, which is useful for securing the email channel.